sftpfs: fix bad pointer arithmetic in config parser.

When reading ssh_config with matching host entry mc do bad pointer arithmetic.
Fix it! (Also move offsetof values into struct to reduce human mistakes.)

==18689==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000004910 at pc 0x000000641a8b bp 0x7ffca4ab65e0 sp 0x7ffca4ab65d8
WRITE of size 8 at 0x604000004910 thread T0
    #0 0x641a8a in sftpfs_fill_config_entity_from_string /tmp/portage/app-misc/mc-9999/work/mc-9999/src/vfs/sftpfs/config_parser.c:169:30
    #1 0x6413cf in sftpfs_fill_config_entity_from_config /tmp/portage/app-misc/mc-9999/work/mc-9999/src/vfs/sftpfs/config_parser.c:271:13
    #2 0x640b73 in sftpfs_get_config_entity /tmp/portage/app-misc/mc-9999/work/mc-9999/src/vfs/sftpfs/config_parser.c:310:14
    #3 0x64067d in sftpfs_fill_connection_data_from_config /tmp/portage/app-misc/mc-9999/work/mc-9999/src/vfs/sftpfs/config_parser.c:354:21
    #4 0x61ef95 in sftpfs_cb_open_connection /tmp/portage/app-misc/mc-9999/work/mc-9999/src/vfs/sftpfs/vfs_subclass.c:111:5
    #5 0x7f1340c31beb in vfs_s_get_path /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/vfs/direntry.c:1139:18
    #6 0x7f1340c3685c in vfs_s_inode_from_path /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/vfs/direntry.c:380:9
    #7 0x7f1340c34807 in vfs_s_opendir /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/vfs/direntry.c:409:11
    #8 0x7f1340c34ce8 in vfs_s_chdir /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/vfs/direntry.c:476:12
    #9 0x7f1340c3a29f in mc_chdir /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/vfs/interface.c:687:14
    #10 0x530f64 in _do_panel_cd /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/panel.c:3250:9
    #11 0x530e4e in do_panel_cd /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/panel.c:4627:9
    #12 0x532d34 in do_cd /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/panel.c:5027:11
    #13 0x50b64b in do_cd_command /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/command.c:445:14
    #14 0x50c516 in enter /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/command.c:265:9
    #15 0x52704c in midnight_callback /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/midnight.c:1473:17
    #16 0x7f1340c4c761 in dlg_key_event /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/dialog.c:505:15
    #17 0x7f1340c4cc32 in frontend_dlg_run /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/dialog.c:570:9
    #18 0x7f1340c4c935 in dlg_run /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/dialog.c:1267:5
    #19 0x52654d in do_nc /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/midnight.c:1757:9
    #20 0x4f7d8a in main /tmp/portage/app-misc/mc-9999/work/mc-9999/src/main.c:401:21
    #21 0x7f133f1b8953 in __libc_start_main (/lib64/libc.so.6+0x20953)
    #22 0x427368 in _start (/tmp/portage/app-misc/mc-9999/work/mc-9999/src/.libs/mc+0x427368)

Signed-off-by: Andreas Mohr <and@gmx.li>
Signed-off-by: Andrew Borodin <aborodin@vmail.ru>
This commit is contained in:
Andreas Mohr 2016-01-11 20:49:06 +00:00 committed by Andrew Borodin
parent 0fb104d2b3
commit 924a84a3b4

View File

@ -79,17 +79,18 @@ static struct
size_t offset;
} config_variables[] =
{
{"^\\s*User\\s+(.*)$", NULL, STRING, 0},
{"^\\s*HostName\\s+(.*)$", NULL, STRING, 0},
{"^\\s*IdentitiesOnly\\s+(.*)$", NULL, BOOLEAN, 0},
{"^\\s*IdentityFile\\s+(.*)$", NULL, FILENAME, 0},
{"^\\s*Port\\s+(.*)$", NULL, INTEGER, 0},
{"^\\s*PasswordAuthentication\\s+(.*)$", NULL, BOOLEAN, 0},
{"^\\s*PubkeyAuthentication\\s+(.*)$", NULL, STRING, 0},
{"^\\s*User\\s+(.*)$", NULL, STRING, offsetof (sftpfs_ssh_config_entity_t, user)},
{"^\\s*HostName\\s+(.*)$", NULL, STRING, offsetof (sftpfs_ssh_config_entity_t, real_host)},
{"^\\s*IdentitiesOnly\\s+(.*)$", NULL, BOOLEAN, offsetof (sftpfs_ssh_config_entity_t, identities_only)},
{"^\\s*IdentityFile\\s+(.*)$", NULL, FILENAME, offsetof (sftpfs_ssh_config_entity_t, identity_file)},
{"^\\s*Port\\s+(.*)$", NULL, INTEGER, offsetof (sftpfs_ssh_config_entity_t, port)},
{"^\\s*PasswordAuthentication\\s+(.*)$", NULL, BOOLEAN, offsetof (sftpfs_ssh_config_entity_t, password_auth)},
{"^\\s*PubkeyAuthentication\\s+(.*)$", NULL, STRING, offsetof (sftpfs_ssh_config_entity_t, pubkey_auth)},
{NULL, NULL, 0, 0}
};
/* *INDENT-ON* */
/* --------------------------------------------------------------------------------------------- */
/*** file scope functions ************************************************************************/
/* --------------------------------------------------------------------------------------------- */
/**
@ -131,9 +132,8 @@ sftpfs_correct_file_name (const char *filename)
/* --------------------------------------------------------------------------------------------- */
/* FIXME: is pointer arith correct here? */
#define POINTER_TO_STRUCTURE_MEMBER(type) \
((type) (config_entity + (off_t) config_variables[i].offset))
((type) ((char *) config_entity + (size_t) config_variables[i].offset))
/**
* Parse string and filling one config entity by parsed data.
@ -399,16 +399,6 @@ sftpfs_fill_connection_data_from_config (struct vfs_s_super *super, GError ** mc
void
sftpfs_init_config_variables_patterns (void)
{
size_t structure_offsets[] = {
offsetof (sftpfs_ssh_config_entity_t, user),
offsetof (sftpfs_ssh_config_entity_t, real_host),
offsetof (sftpfs_ssh_config_entity_t, identities_only),
offsetof (sftpfs_ssh_config_entity_t, identity_file),
offsetof (sftpfs_ssh_config_entity_t, port),
offsetof (sftpfs_ssh_config_entity_t, password_auth),
offsetof (sftpfs_ssh_config_entity_t, pubkey_auth)
};
int i;
for (i = 0; config_variables[i].pattern != NULL; i++)
@ -417,7 +407,6 @@ sftpfs_init_config_variables_patterns (void)
mc_search_new (config_variables[i].pattern, DEFAULT_CHARSET);
config_variables[i].pattern_regexp->search_type = MC_SEARCH_T_REGEX;
config_variables[i].pattern_regexp->is_case_sensitive = FALSE;
config_variables[i].offset = structure_offsets[i];
}
}